aws.hostedzone

Filters

query-logging-enabled

Filter hosted zones by whether a Route 53 query logging configuration is attached to them: state: true matches zones with query logging enabled, state: false matches zones without it.

properties:
  state:
    type: boolean
  type:
    enum:
    - query-logging-enabled
required:
- type

Permissions - route53:GetQueryLoggingConfig, route53:GetHostedZone, logs:DescribeSubscriptionFilters

shield-enabled

Filter hosted zones by whether an AWS Shield protection exists for the zone's ARN: state: true matches protected zones, state: false matches unprotected ones.

properties:
  state:
    type: boolean
  type:
    enum:
    - shield-enabled
required:
- type

Permissions - shield:ListProtections

Actions

delete

Deletes Route 53 hosted zones.

Use a narrow filter (for example on a tag) to avoid unwanted deletion of hosted zones.

With force: true, the action first deletes every record set in the zone other than the apex NS and SOA records, which Route 53 manages itself and removes together with the zone. Without force, Route 53 rejects the deletion of a zone that still contains other records (HostedZoneNotEmpty), so the zone is left in place.

example:

policies:
  - name: route53-delete-testing-hosted-zones
    resource: aws.hostedzone
    filters:
      - 'tag:TestTag': present
    actions:
      - type: delete
        force: true
properties:
  force:
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - route53:DeleteHostedZone
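The record purge that a forced delete has to perform, as an added example that is not Cloud Custodian's own implementation of the delete action. It builds the ChangeResourceRecordSets batches from a constructed ListResourceRecordSets result, skipping the apex NS and SOA records that Route 53 refuses to delete but keeping a subdomain NS delegation, and chunks the DELETE changes to the 1000-change limit of a single ChangeBatch. The boto3 driver at the end is optional and is the only part that needs credentials.

```python
"""Build the ChangeResourceRecordSets batches a forced hosted-zone delete needs.

Added example, not Cloud Custodian's delete action itself.
Route 53 refuses DeleteHostedZone while any record other than the zone apex NS
and SOA exists, so a forced delete must delete every other record set first.
"""

# Constructed sample shaped like ListResourceRecordSets output for example.com.
ZONE_NAME = "example.com."
RECORD_SETS = [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.org."}]},
    {"Name": "example.com.", "Type": "SOA", "TTL": 900,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"}]},
    {"Name": "www.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
    # A delegation NS record below the apex is an ordinary record and must be deleted.
    {"Name": "sub.example.com.", "Type": "NS", "TTL": 300,
     "ResourceRecords": [{"Value": "ns1.sub.example.com."}]},
    # Alias records carry no TTL/ResourceRecords; the DELETE must repeat them as-is.
    {"Name": "app.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "Z2FDTNDATAQYW2", "DNSName": "d111.cloudfront.net.",
                     "EvaluateTargetHealth": False}},
]

MAX_CHANGES_PER_BATCH = 1000  # Route 53 limit on record set changes in one ChangeBatch


def is_apex_default(rrset, zone_name):
    """Apex NS and SOA cannot be deleted by the caller; Route 53 drops them with the zone."""
    return rrset["Name"] == zone_name and rrset["Type"] in ("NS", "SOA")


def deletable_record_sets(record_sets, zone_name):
    return [r for r in record_sets if not is_apex_default(r, zone_name)]


def change_batches(record_sets, zone_name, batch_size=MAX_CHANGES_PER_BATCH):
    """Return ChangeBatch payloads. Each DELETE must carry the record set exactly as
    it exists (name, type, TTL, values or alias target), so the rrset is passed through."""
    changes = [{"Action": "DELETE", "ResourceRecordSet": r}
               for r in deletable_record_sets(record_sets, zone_name)]
    return [{"Comment": "forced hosted zone delete", "Changes": changes[i:i + batch_size]}
            for i in range(0, len(changes), batch_size)]


def force_delete_zone(hosted_zone_id, zone_name):
    """Live driver (needs boto3 and credentials); not exercised offline."""
    import boto3
    r53 = boto3.client("route53")
    rrsets = []
    for page in r53.get_paginator("list_resource_record_sets").paginate(HostedZoneId=hosted_zone_id):
        rrsets.extend(page["ResourceRecordSets"])
    for batch in change_batches(rrsets, zone_name):
        r53.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=batch)
    r53.delete_hosted_zone(Id=hosted_zone_id)
```

Compare the record names with the trailing dot that Route 53 returns; a zone name written without it would never match the apex and the batch would include the SOA, which the API rejects.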

rename-tag

Rename an existing tag key to a new key, keeping the tag's value.

example:

Rename Application and Bap to App. If a resource carries both old keys, the value of Application is kept, because old_keys are applied in the order listed.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources

set-query-logging

Enables query logging on a hosted zone.

By default one log group is created per hosted zone; alternatively a log group name can be given via log-group for a single unified log across zones.

Note that query logging applies only to public hosted zones, and the log groups must be created in the us-east-1 region.

With set-permissions: true the action also installs the CloudWatch Logs resource policy that allows the Route 53 service principal to create log streams and put log events in the target log groups; otherwise that resource policy must be set separately, and CreateQueryLoggingConfig fails without it.

It is recommended to use a separate Custodian policy on the log groups to set the retention period for the zone logs; see custodian schema aws.log-group.actions.set-retention.

example:

policies:
  - name: enablednsquerylogging
    resource: hostedzone
    region: us-east-1
    filters:
      - type: query-logging-enabled
        state: false
    actions:
      - type: set-query-logging
        state: true
properties:
  log-group:
    default: auto
    type: string
  log-group-prefix:
    default: /aws/route53
    type: string
  set-permissions:
    type: boolean
  state:
    type: boolean
  type:
    enum:
    - set-query-logging
required:
- type

Permissions - route53:GetQueryLoggingConfig, route53:CreateQueryLoggingConfig, route53:DeleteQueryLoggingConfig, logs:DescribeLogGroups, logs:CreateLogGroup, logs:GetResourcePolicy, logs:PutResourcePolicy
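The decisions behind the query-logging-enabled filter and the set-query-logging action, as an added example that is not Cloud Custodian's own code. On constructed ListHostedZones and ListQueryLoggingConfigs data it selects public zones without a config, derives the log group per zone, and builds the CloudWatch Logs resource policy that set-permissions: true has to install. The auto log group naming (prefix plus zone name without its trailing dot) and the account id are assumptions of this example; the boto3 driver at the end is optional and needs credentials.

```python
"""Plan query-logging enablement for Route 53 hosted zones.

Added example, not Cloud Custodian's own code: it mirrors what the
query-logging-enabled filter and the set-query-logging action decide, on
constructed inputs so it runs offline. The boto3 driver at the end is optional.
"""
import json

LOG_GROUP_PREFIX = "/aws/route53"  # the action's default log-group-prefix
ACCOUNT_ID = "123456789012"        # constructed account id

# Constructed data shaped like ListHostedZones / ListQueryLoggingConfigs output.
ZONES = [
    {"Id": "/hostedzone/Z111AAAAAAAAAA", "Name": "example.com.", "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/Z222BBBBBBBBBB", "Name": "corp.internal.", "Config": {"PrivateZone": True}},
    {"Id": "/hostedzone/Z333CCCCCCCCCC", "Name": "example.net.", "Config": {"PrivateZone": False}},
]
QUERY_LOGGING_CONFIGS = [
    {"Id": "cfg-1", "HostedZoneId": "Z333CCCCCCCCCC",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/route53/example.net"},
]


def zone_id(zone):
    """ListHostedZones returns Id as '/hostedzone/<ID>'; other calls want the bare ID."""
    return zone["Id"].rsplit("/", 1)[-1]


def logging_enabled(zone, configs):
    """What the query-logging-enabled filter checks: a config exists for this zone."""
    zid = zone_id(zone)
    return any(c["HostedZoneId"] == zid for c in configs)


def zones_needing_logging(zones, configs):
    """Public zones with no config (query-logging-enabled: state: false).
    Private zones are skipped: Route 53 query logging supports public zones only."""
    return [z for z in zones
            if not z["Config"]["PrivateZone"] and not logging_enabled(z, configs)]


def log_group_name(zone, log_group="auto", prefix=LOG_GROUP_PREFIX):
    """'auto' gives one group per zone. The naming used here (prefix + zone name
    without its trailing dot) is this example's assumption, not the action's."""
    if log_group != "auto":
        return log_group
    return "%s/%s" % (prefix.rstrip("/"), zone["Name"].rstrip("."))


def log_group_arn(name, account_id, region="us-east-1"):
    # Route 53 query logs must go to us-east-1, so the ARN region is fixed.
    return "arn:aws:logs:%s:%s:log-group:%s" % (region, account_id, name)


def resource_policy(account_id, prefix=LOG_GROUP_PREFIX):
    """CloudWatch Logs resource policy that set-permissions: true must install:
    the Route 53 service principal may write to any group under the prefix."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "route53.amazonaws.com"},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": log_group_arn(prefix.rstrip("/") + "/*", account_id),
    }]}


def plan(zones, configs, account_id, log_group="auto"):
    """Return the CreateQueryLoggingConfig calls the action would issue."""
    return [{"HostedZoneId": zone_id(z),
             "CloudWatchLogsLogGroupArn": log_group_arn(log_group_name(z, log_group), account_id)}
            for z in zones_needing_logging(zones, configs)]


def apply(account_id, log_group="auto", set_permissions=True):
    """Live driver (needs boto3 and credentials); not run offline."""
    import boto3
    r53 = boto3.client("route53")
    logs = boto3.client("logs", region_name="us-east-1")
    zones = r53.get_paginator("list_hosted_zones").paginate().build_full_result()["HostedZones"]
    configs, token = [], {}
    while True:
        page = r53.list_query_logging_configs(**token)
        configs.extend(page["QueryLoggingConfigs"])
        if "NextToken" not in page:
            break
        token = {"NextToken": page["NextToken"]}
    if set_permissions:
        logs.put_resource_policy(policyName="route53-query-logging",
                                 policyDocument=json.dumps(resource_policy(account_id)))
    for call in plan(zones, configs, account_id, log_group):
        try:
            logs.create_log_group(logGroupName=call["CloudWatchLogsLogGroupArn"].split(":log-group:", 1)[1])
        except logs.exceptions.ResourceAlreadyExistsException:
            pass
        r53.create_query_logging_config(**call)
```

The resource policy is scoped to the prefix rather than to "*", so a unified log-group name outside /aws/route53 needs the prefix argument adjusted to match, or Route 53 will be denied when it tries to write.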

set-shield

Enable AWS Shield Advanced protection on the hosted zone (shield:CreateProtection requires a Shield Advanced subscription in the account).

Setting sync: true also removes stale Shield protections for hosted zones that no longer exist.

properties:
  state:
    type: boolean
  sync:
    type: boolean
  type:
    enum:
    - set-shield
required:
- type

Permissions - shield:CreateProtection, shield:ListProtections
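The reconciliation that set-shield performs, as an added example that is not Cloud Custodian's own implementation. It takes constructed hosted zone IDs and ListProtections output, reports what state: true would create and what sync: true would delete, and deliberately ignores protections on other resource types so that a hosted-zone policy cannot strip protection from, say, a load balancer. The zone and protection IDs are constructed.

```python
"""Reconcile Shield Advanced protections for Route 53 hosted zones.

Added example, not Cloud Custodian's set-shield action: it shows what
state: true adds and what sync: true removes, on constructed inputs.
"""
HOSTED_ZONE_ARN_PREFIX = "arn:aws:route53:::hostedzone/"


def hosted_zone_arn(zone_id):
    """Hosted zone ARNs are global and carry no region or account."""
    return HOSTED_ZONE_ARN_PREFIX + zone_id


# Constructed: zones that exist now, and ListProtections output in which
# Z999 no longer exists (stale protection) and one entry belongs to an ALB.
ZONE_IDS = ["Z111AAAAAAAAAA", "Z333CCCCCCCCCC"]
PROTECTIONS = [
    {"Id": "p-1", "Name": "Z333CCCCCCCCCC", "ResourceArn": hosted_zone_arn("Z333CCCCCCCCCC")},
    {"Id": "p-2", "Name": "Z999ZZZZZZZZZZ", "ResourceArn": hosted_zone_arn("Z999ZZZZZZZZZZ")},
    {"Id": "p-3", "Name": "my-alb",
     "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/abc"},
]


def shield_enabled(zone_id, protections):
    """What the shield-enabled filter checks: a protection exists for the zone's ARN."""
    arn = hosted_zone_arn(zone_id)
    return any(p["ResourceArn"] == arn for p in protections)


def reconcile(zone_ids, protections, sync=False):
    """Return (ARNs to protect, protection IDs to delete).

    Only hosted-zone protections are considered for deletion, so protections on
    other resource types are never touched by a hosted-zone policy."""
    wanted = {hosted_zone_arn(z) for z in zone_ids}
    zone_protections = {p["ResourceArn"]: p for p in protections
                        if p["ResourceArn"].startswith(HOSTED_ZONE_ARN_PREFIX)}
    to_create = sorted(wanted - set(zone_protections))
    to_delete = []
    if sync:
        to_delete = sorted(p["Id"] for arn, p in zone_protections.items() if arn not in wanted)
    return to_create, to_delete


def apply(zone_ids, sync=False):
    """Live driver (needs boto3, credentials and a Shield Advanced subscription)."""
    import boto3
    shield = boto3.client("shield", region_name="us-east-1")  # Shield is a global service served from us-east-1
    protections = []
    for page in shield.get_paginator("list_protections").paginate():
        protections.extend(page["Protections"])
    to_create, to_delete = reconcile(zone_ids, protections, sync=sync)
    for arn in to_create:
        shield.create_protection(Name=arn.rsplit("/", 1)[-1], ResourceArn=arn)
    for pid in to_delete:
        shield.delete_protection(ProtectionId=pid)
```

Without sync the stale protection for Z999 is left alone; with sync it is deleted, which is the behaviour to be aware of before enabling sync in an account where zones are created and destroyed by other teams.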